Hugo Lefeuvre be4c85b16e Fix NULL pointer dereference in TIFFPrintDirectory
The TIFFPrintDirectory function relies on the following assumptions,
supposed to be guaranteed by the specification:

(a) A Transfer Function field is only present if the TIFF file has
    photometric type < 3.

(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
    has count SamplesPerPixel - (Color Channels) and contains
    information about supplementary channels.

While respect of (a) and (b) is essential for the proper functioning of
TIFFPrintDirectory, no checks are performed either by the callee or
by TIFFPrintDirectory itself. Hence, the following scenarios might happen
and trigger the NULL pointer dereference:

(1) TIFF File of photometric type 4 or more has illegal Transfer
    Function field.

(2) TIFF File has photometric type 3 or less and defines a
    SamplesPerPixel field such that SamplesPerPixel > Color Channels
    without defining all extra samples in the ExtraSamples fields.

In this patch, we address both issues with respect to the following
principles:

(A) In the case of (1), the defined transfer table should be printed
    safely even if it isn't 'legal'. This allows us to avoid expensive
    checks in TIFFPrintDirectory. Also, it is quite possible that
    an alternative photometric type would be developed (not part of the
    standard) and would allow definition of Transfer Table. We want
    libtiff to be able to handle this scenario out of the box.

(B) In the case of (2), the transfer table should be printed at its
    right size, that is if TIFF file has photometric type Palette
    then the transfer table should have one row and not three, even
    if two extra samples are declared.

In order to fulfill (A) we simply add a new 'i < 3' end condition to
the broken TIFFPrintDirectory loop. This makes sure that in any case
where (b) would be respected but not (a), everything stays fine.

(B) is fulfilled by the loop condition
'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
long as (b) is respected.

Naturally, we also make sure (b) is respected. This is done in the
TIFFReadDirectory function by making sure any non-color channel is
counted in ExtraSamples.

This commit addresses CVE-2018-7456.
2018-04-11 23:09:59 -04:00
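
The loop bound and the read-time check described in the commit message above, as an added C sketch that is not libtiff's code: `dir_fields`, `cols_bounded`, `count_extras` and `walk_row` are hypothetical names, the table is constructed, and the pre-patch bound of one column per sample is an assumption. It shows that the bounded loop alone still reaches a missing table when (b) is violated, and no longer does once the extra samples are counted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the fields the commit names; not libtiff's struct. */
struct dir_fields {
    uint16_t samplesperpixel;    /* SamplesPerPixel */
    uint16_t extrasamples;       /* count of the ExtraSamples field */
    const uint16_t *transfer[3]; /* transfer tables; absent ones are NULL */
};
/* Constructed sample table: 4 entries (BitsPerSample = 2). */
static const uint16_t ramp[4] = {0, 21845, 43690, 65535};

/* Patched loop bound: colour channels only (B), never more than 3 (A). */
static int cols_bounded(const struct dir_fields *d)
{
    int n = d->samplesperpixel - d->extrasamples;
    return n < 3 ? n : 3;
}

/* Enforce (b): samples beyond the colour channels count as extra samples. */
static void count_extras(struct dir_fields *d, uint16_t color_channels)
{
    if (d->samplesperpixel - d->extrasamples > color_channels)
        d->extrasamples = (uint16_t)(d->samplesperpixel - color_channels);
}

/* Sum row `row` over `cols` tables; -1 where an unchecked loop reads a missing one. */
static long walk_row(const struct dir_fields *d, int cols, size_t row)
{
    long sum = 0;
    for (int i = 0; i < cols; i++) {
        if (i >= 3 || d->transfer[i] == NULL)
            return -1;
        sum += d->transfer[i][row];
    }
    return sum;
}

int main(void)
{
    /* Constructed case (2): palette image, 3 samples, ExtraSamples absent. */
    struct dir_fields d = {3, 0, {ramp, NULL, NULL}};
    long old_bound = walk_row(&d, d.samplesperpixel, 1); /* assumed unchecked bound */
    long loop_only = walk_row(&d, cols_bounded(&d), 1);
    count_extras(&d, 1); /* palette: one colour channel */
    printf("%ld %ld %ld\n", old_bound, loop_only, walk_row(&d, cols_bounded(&d), 1));
    return 0;
}
```
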
archive Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
build Add libzstd to gitlab-ci 2017-12-21 14:52:30 +01:00
contrib Fix some typos 2018-02-24 21:47:52 +01:00
html Fix some typos 2018-02-24 21:47:52 +01:00
libtiff Fix NULL pointer dereference in TIFFPrintDirectory 2018-04-11 23:09:59 -04:00
m4 Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
man Fix some typos 2018-02-24 21:47:52 +01:00
port port: Clean up NetBSD sources and headers to build standalone 2018-03-26 14:20:21 +01:00
test Remove remaining .cvsignore files 2017-12-01 15:55:10 +01:00
tools tiffset: Add support for LONG8, SLONG8 and IFD8 field types 2018-03-23 22:11:17 +00:00
.appveyor.yml port: Clean up NetBSD sources and headers to build standalone 2018-03-26 14:20:21 +01:00
.gitignore .gitignore: add patterns for build from root 2017-12-01 16:00:49 +01:00
.gitlab-ci.yml Add libzstd to gitlab-ci 2017-12-21 14:52:30 +01:00
.travis.yml build/gitlab-ci and build/travis-ci: add a 'make dist' step in autoconf_build() target, to check we are release-ready 2017-12-01 11:48:17 +01:00
aclocal.m4 * html/bugs.html: Replace Andrey Kiselev with Bob Friesenhahn for 2016-04-08 02:34:00 +00:00
autogen.sh * libtiff 4.0.0alpha4 released. 2009-08-27 17:40:49 +00:00
ChangeLog Fix some typos 2018-02-24 21:47:52 +01:00
CMakeLists.txt port: Add strtol, strtoll and strtoull 2018-03-23 22:37:17 +00:00
COMMITTERS Add myself to COMMITTERS 2014-11-19 22:26:42 +00:00
configure.ac port: Add strtol, strtoll and strtoull 2018-03-23 22:37:17 +00:00
configure.com Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
COPYRIGHT
HOWTO-RELEASE HOWTO-RELEASE: update to use signed tags 2017-12-01 10:58:09 +01:00
HOWTO-SECURITY-RELEASE note vs in topic and mailing list url 2012-04-06 16:45:55 +00:00
libtiff-4.pc.in * libtiff-4.pc.in: Added libtiff pkg-config .pc file support. 2010-11-27 20:54:51 +00:00
Makefile.am Makefile.am: update to reflect removal of README.vms and README -> README.md 2017-11-30 18:09:43 +01:00
Makefile.vc Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
nmake.opt Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
README.md README.md: use markdown syntax for hyperlinks 2017-12-01 10:52:18 +01:00
RELEASE-DATE * configure.ac: libtiff 4.0.9 released. 2017-11-18 20:00:43 +00:00
SConstruct Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
tiff.spec Fix some typos 2018-02-24 21:47:52 +01:00
TODO Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
VERSION * configure.ac: libtiff 4.0.9 released. 2017-11-18 20:00:43 +00:00

TIFF Software Distribution

This file is just a placeholder; all the documentation is now in HTML in the html directory. To view the documentation point your favorite WWW viewer at html/index.html;

e.g.

firefox html/index.html

If you don't have an HTML viewer then you can read the HTML source or fetch a PostScript version of this documentation from the directory

http://download.osgeo.org/libtiff/

If you can't hack either of these options then basically what you want to do is:

% ./configure
% make
% su
# make install

More information, email contacts, and mailing list information can be found online at http://www.simplesystems.org/libtiff/

Source code repository

GitLab

Bug database

Bugzilla

Silicon Graphics has seen fit to allow us to give this work away. It is free. There is no support or guarantee of any sort as to its operations, correctness, or whatever. If you do anything useful with all or parts of it you need to honor the copyright notices. I would also be interested in knowing about it and, hopefully, be acknowledged.

The legal way of saying that is:

Copyright (c) 1988-1997 Sam Leffler
Copyright (c) 1991-1997 Silicon Graphics, Inc.

Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that (i) the above copyright notices and this permission notice appear in all copies of the software and related documentation, and (ii) the names of Sam Leffler and Silicon Graphics may not be used in any advertising or publicity relating to the software without the specific, prior written permission of Sam Leffler and Silicon Graphics.

THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.